CI run for PR #10479 #1785
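# Labels issues and PRs opened by users who are not members of the repository owner's
# organization. `check-user` resolves membership via the GitHub API; `add-label` applies
# the label when the opener is not a member.
name: Add `external` label to issues and PRs created by external users

on:
  issues:
    types:
      - opened
  # `pull_request_target` runs in the context of the base repository, so secrets are
  # available even for PRs opened from forks. That is acceptable here only because no
  # job checks out or executes code from the PR; keep it that way.
  pull_request_target:
    types:
      - opened
  # Manual run, used to check the membership lookup for an arbitrary username.
  workflow_dispatch:
    inputs:
      github-actor:
        description: 'GitHub username. If empty, the username of the current user will be used'
        required: false

# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
permissions: {}

env:
  LABEL: external

jobs:
  check-user:
    runs-on: ubuntu-22.04
    outputs:
      is-member: ${{ steps.check-user.outputs.is-member }}
    steps:
      - name: Harden Runner
        # Third-party action pinned to a full commit SHA; the trailing comment records the tag.
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          # `audit` only records outbound connections, it does not block them.
          egress-policy: audit

      - name: Check whether `${{ github.actor }}` is a member of `${{ github.repository_owner }}`
        id: check-user
        env:
          # This job gets no GITHUB_TOKEN permissions (`permissions: {}`), so the lookup uses a
          # separate secret. NOTE(review): presumably scoped to reading org membership only;
          # confirm, since this job also runs for events opened by external users.
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
          # Passed through `env` rather than expanded inside the script, so the value reaches
          # the shell as data and is never parsed as shell syntax.
          ACTOR: ${{ inputs.github-actor || github.actor }}
        run: |
          expected_error="User does not exist or is not a member of the organization"
          output_file=output.txt
          # Retry up to 10 times, one second apart. A successful call means "member", the
          # expected error body means "not a member"; any other failure is retried.
          for i in $(seq 1 10); do
            if gh api "/orgs/${GITHUB_REPOSITORY_OWNER}/members/${ACTOR}" \
                -H "Accept: application/vnd.github+json" \
                -H "X-GitHub-Api-Version: 2022-11-28" > "${output_file}"; then
              is_member=true
              break
            elif grep -qF -- "${expected_error}" "${output_file}"; then
              is_member=false
              break
            elif [ "${i}" -eq 10 ]; then
              title="Failed to get membership status for ${ACTOR}"
              message="The latest GitHub API error message: '$(cat "${output_file}")'"
              # Escape '%' and line breaks so a multi-line API response stays inside this one
              # `::error` workflow command instead of spilling onto separate log lines.
              message=${message//'%'/'%25'}
              message=${message//$'\n'/'%0A'}
              message=${message//$'\r'/'%0D'}
              echo "::error file=.github/workflows/label-for-external-users.yml,title=${title}::${message}"
              exit 1
            fi
            sleep 1
          done
          echo "is-member=${is_member}" | tee -a "${GITHUB_OUTPUT}"

  add-label:
    # Run only for real issue/PR events: a manual `workflow_dispatch` run carries no issue or
    # PR number, so `gh ... edit` would have nothing to act on and would fail.
    if: github.event_name != 'workflow_dispatch' && needs.check-user.outputs.is-member == 'false'
    needs: [check-user]
    runs-on: ubuntu-22.04
    permissions:
      pull-requests: write  # for `gh pr edit`
      issues: write  # for `gh issue edit`
    steps:
      - name: Harden Runner
        # Third-party action pinned to a full commit SHA; the trailing comment records the tag.
        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
        with:
          # `audit` only records outbound connections, it does not block them.
          egress-policy: audit

      - name: Add `${{ env.LABEL }}` label
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # The number lives under `pull_request` for PR events and under `issue` otherwise.
          ITEM_NUMBER: ${{ github.event[github.event_name == 'pull_request_target' && 'pull_request' || 'issue'].number }}
          # Selects the `gh` subcommand that matches the event type.
          GH_CLI_COMMAND: ${{ github.event_name == 'pull_request_target' && 'pr' || 'issue' }}
        run: |
          # Quote every expansion so each value is passed to `gh` as exactly one argument.
          gh "${GH_CLI_COMMAND}" --repo "${GITHUB_REPOSITORY}" edit --add-label="${LABEL}" "${ITEM_NUMBER}"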